The National Privacy Commission (NPC) warned business establishments that they could face hefty fines and jail time if they don’t cease from using for marketing purposes data collected from their customers’ contact tracing forms.

In a statement, the NPC said it has received reports from citizens complaining of “several business establishments – from a mall, fast-food and drugstore chains, and supermarkets to a European fast-fashion retailer and a North American coffee shop franchisee” using contact-tracing data to promote their services and products.

“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” NPC Commissioner Raymund E. Liboro said in a statement Monday.

The NPC warned that businesses caught using or mishandling customer data in contact tracing forms might be penalized under the DPA with fines of up to P5 million and an imprisonment of up to six years, depending on the violations committed.

The Privacy Commission said that the complaints prompted them to check the establishment’s compliance with the Data Privacy Act (DPA) and the guidelines issued by the Commission and other government agencies.

The Privacy Commission said that their move to check the companies’ compliance to data protection and privacy rights is “pro-consumer and pro-business” that “would enable businesses to gain the trust of customers and support government contact-tracing efforts.”

“Building trust is especially crucial now as we begin to open the economy gradually” Liboro said adding that “building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data.”

NPC Director Olivia Khane S. Raza advised business establishments to devise a reasonable way to collect customers’ data without any accidental and unauthorized viewing of the contact tracing forms.

“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations,” she said.

The NPC recently met with data protection officers (DPOs) from the Privacy Council for the retail and manufacturing sector to guide their contact-tracing practices.

Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector, said retailers must base their contact-tracing efforts on the Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response guideline from the NPC and the Department of Health and the other from the Department of Trade and Industry, and Department of Labor and Employment called “Supplemental Guidelines on Workplace Prevention and Control of COVID-19”.

Boquiren, who is also DPO of conglomerate San Miguel Corp., advised business establishments to to protect customers’ data throughout the data collection and processing cycle (storage, use, transfer, and destruction) of customers’ data was always protected.

“As we start to support our favorite stores physically, we need to accomplish contact-tracing forms with correct information so authorities can contact us, just in case,” she said adding that establishments “have to assure customers that personal information collected will be secured and used only for the primary purpose of contact tracing.”

She also appealed for mall operators to ensure that their retailers “use proper contact-tracing forms and prevent the unauthorized use of customers’ contact details.”  Rommel F. Lopez